The NSA’s obligations to publish vulnerabilities

Microsoft recently made an argument that most commercial developers seem to believe – that security agencies, like the NSA, ought publish discovered vulnerabilities, rather than stockpile them for offensive use.

Herb Lin provides what I think is a pretty compelling counter-argument. First, the fact that stockpiling vulnerabilities might leave commercial software vulnerable for longer periods of time does not imply that the government should stop; all this suggests is that there is a cost to stockpiling “arms” (which is true of most physical arms). Lin doesn’t mention this, but there’s an additional point that if the NSA and other agencies were not allowed to stockpile vulnerabilities, they would probably just stop looking for them; it seems odd to me that no one blames Microsoft for not finding their own vulnerabilities. Second, and related, the main issue is not that the vulnerability was not patched (it actually was), but that (1) sysadmins do not always apply their patches, and (2) sysadmins use deprecated operating systems (Windows XP).

National-security law professors’ takes on the Trump leaks

There are two issues with reporting on the recent Trump intelligence leaks. First, they tend to be from constant critics of the administration, for whom “Every move, every tweet is a threat to democracy, an affront to humanity, and surely will lead to the end of life as we know it.” Second, and just as importantly, most journalists covering the story appear to know very little about how either executive law or national-security law works, and seem to selectively give passes when it suits their agenda (e.g., for the past four months, the intelligence community, after years of being excoriated as clandestine thugs threatening rule of law, are now unimpeachable heroes who should be deferred to without question).

Jack Goldsmith’s Lawfare blog has skirted both of these issues. Goldsmith, “widely considered one of the brightest stars in the conservative legal firmament,” worked in the Bush DOJ and teaches at Harvard Law. Since he is both fairly balanced and understands security law, Lawfare tends to be the best reporting on these kinds of issues (as it was during the Obama administration).

Anyway, this is a fantastic synthesis of:

(1) what happened

(2) why it is not illegal

(3) why it still matters: (a) it threatens sources and methods, both from the US and allies; (b) it threatens US alliances and intelligence-sharing agreements; © it again raises questions of how disproportionately Trump trusts Russia; and (d) it raises broader questions about how impactful Trump’s rash actions may have on world security.

Though this might beg the question as to why it matters; after all, “The 1980s are now calling to ask for their foreign policy back because you know, the Cold War has been over for 20 years.”